From d21af173677127813b63a61a97131de821a680d6 Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Fri, 30 Jan 2015 13:41:23 +0100
Subject: [PATCH] wifi: fix recvbeacon()

we used to read beyond the boundaries of the becon because of the end pointer was offset by the beacon header. this is also what caused the double entries.
---
 sys/src/9/pc/wifi.c | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/sys/src/9/pc/wifi.c b/sys/src/9/pc/wifi.c
index 19c5b3676..743f0cac8 100644
--- a/sys/src/9/pc/wifi.c
+++ b/sys/src/9/pc/wifi.c
@@ -372,10 +372,10 @@ static void
 recvbeacon(Wifi *wifi, Wnode *wn, uchar *d, int len)
 {
 static uchar wpa1oui[4] = { 0x00, 0x50, 0xf2, 0x01 };
- uchar *e, *x, *p;
- uchar t, m[256/8];
+ uchar *e, *x, *p, t;
 
- if(len < 8+2+2)
+ len -= 8+2+2;
+ if(len < 0)
 return;
 
 d += 8; /* timestamp */
@@ -384,19 +384,12 @@ recvbeacon(Wifi *wifi, Wnode *wn, uchar *d, int len)
 wn->cap = d[0] | d[1]<<8;
 d += 2;
 
- memset(m, 0, sizeof(m));
 for(e = d + len; d+2 <= e; d = x){
 d += 2;
 x = d + d[-1];
- if(x > e)
+ if(x > e)
 break; /* truncated */
 t = d[-2];
-
- /* skip double entries */
- if(m[t/8] & 1<<(t%8))
- continue;
- m[t/8] |= 1<<(t%8);
-
 switch(t){
 case 0: /* SSID */
 len = 0;
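Review bot: The new guard `len -= 8+2+2; if(len < 0) return;` is only sound because `len` is a signed `int` in the visible signature; if the parameter is ever widened to an unsigned or size type the subtraction wraps and the check never fires, so the bound deserves a comment tying it to the fixed fields stepped over below, e.g. `/* fixed beacon fields: timestamp(8) + interval(2) + capability(2); len must stay signed */`. Only the timestamp skip (`d += 8;`) and the capability read are visible in the hunks, so the middle two bytes are presumably the beacon interval — confirm against the lines between the hunks. recvbeacon's body continues past this hunk.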
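Review bot: With the `m[]` bitmap removed, every element in a beacon is now handed to the `switch(t)` even when its ID repeats, so a frame carrying two SSID or two RSN elements is processed twice and the later one wins; the case bodies, which lie outside this hunk, therefore have to be safe to run more than once per frame (overwriting `wn` fields rather than accumulating into them). Dropping the dedup looks necessary for element 221, since the `wpa1oui` table implies vendor-specific elements are matched and those legitimately repeat, but the new last-wins behaviour for fixed IDs is attacker-controllable and is worth stating at the loop head: `/* elements are processed in order; a repeated ID overwrites the earlier one */`. The bounds check `if(x > e) break;` itself is correct now that `e` is computed from the header-adjusted `len`. recvbeacon continues past the end of this hunk.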